Tactics of MGM-Caesars attackers were known for several months

The ransomware attacks this week on MGM Resorts International and Caesars Entertainment are all over the news, and it has been widely reported that Caesars allegedly paid several million dollars in ransom and that MGM was in negotiations with the attackers.

While these incidents have caused great disruption at Las Vegas casinos, what has been most frustrating to security industry pros is that the social engineering and execution tactics of Scattered Spider, the threat group behind the attacks, have been well known for several months.

Callie Guenther, cyber threat research senior manager at Critical Start, said Scattered Spider operates as a financially driven threat actor that has been active since at least May 2022.

In one of their recent attacks, Guenther said Scattered Spider used what's known as a Bring Your Own Vulnerable Driver (BYOVD) technique that involves the deployment of a vulnerable kernel-mode driver, such as the Intel Ethernet diagnostics drivers, as a way to gain elevated privileges within Windows systems, thereby evading endpoint detection and response (EDR) solutions.

“Since device drivers have direct kernel access, exploiting a flaw in them allows threat actors like Scattered Spider to execute code with the highest privileges in Windows,” explained Guenther.
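The defensive counterpart to the technique Guenther describes is to watch kernel driver loads for known-vulnerable images rather than for bad signatures alone, because a BYOVD driver is, by design, legitimately signed. The following is an added example, not code from the article or from any vendor quoted in it. It parses a few constructed Sysmon Event ID 6 (driver loaded) records in Sysmon's key: value layout and flags a load when its SHA256 is on a denylist, when it is unsigned, or when it comes from outside the normal driver directories. The hashes, file names and signer strings are placeholders; a real deployment would populate the denylist from Microsoft's recommended driver block rules or a similar curated list.

```python
"""Flag kernel driver loads against a vulnerable-driver denylist.

Added example, not from the article. The Sysmon Event ID 6 records below are
constructed; hashes, file names and signer names are placeholders.
"""
from dataclasses import dataclass

# Placeholder hashes standing in for real driver digests (constructed).
VULN_SHA256 = "a" * 64      # stands in for a known-vulnerable signed driver
BENIGN_SHA256 = "b" * 64    # stands in for a legitimate Windows driver
UNSIGNED_SHA256 = "d" * 64  # stands in for an unsigned driver

# Placeholder denylist keyed by SHA256. In practice, populate this from
# Microsoft's recommended driver block rules or another curated list.
VULNERABLE_DRIVER_SHA256 = {
    VULN_SHA256: "legacy NIC diagnostics driver (placeholder entry)",
}

# Directories from which driver loads are expected; anything else is suspect.
TRUSTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)

# Constructed Sysmon Event ID 6 records: a benign load, a validly signed but
# denylisted driver dropped to a user-writable path, and an unsigned driver.
SAMPLE_EVENTS = [
    "RuleName: -\nUtcTime: 2023-09-12 03:14:07.001\n"
    "ImageLoaded: C:\\Windows\\System32\\drivers\\tcpip.sys\n"
    f"Hashes: SHA256={BENIGN_SHA256},IMPHASH={'c' * 32}\n"
    "Signed: true\nSignature: Microsoft Windows\nSignatureStatus: Valid",

    "RuleName: -\nUtcTime: 2023-09-12 03:15:22.417\n"
    "ImageLoaded: C:\\Users\\Public\\netdiag64.sys\n"
    f"Hashes: SHA256={VULN_SHA256},IMPHASH={'e' * 32}\n"
    "Signed: true\nSignature: Example Hardware Vendor\nSignatureStatus: Valid",

    "RuleName: -\nUtcTime: 2023-09-12 03:16:01.900\n"
    "ImageLoaded: C:\\Windows\\System32\\drivers\\helper.sys\n"
    f"Hashes: SHA256={UNSIGNED_SHA256},IMPHASH={'f' * 32}\n"
    "Signed: false\nSignature: -\nSignatureStatus: Unavailable",
]


@dataclass
class DriverLoad:
    image: str
    sha256: str
    signed: bool
    signature_status: str


def parse_driver_load(record: str) -> DriverLoad:
    """Parse one Sysmon Event ID 6 record in key: value layout."""
    fields = {}
    for line in record.splitlines():
        # partition on the first colon so values such as "C:\..." survive
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    hashes = {}
    for item in fields.get("Hashes", "").split(","):
        algo, sep, digest = item.partition("=")
        if sep:
            hashes[algo.strip().upper()] = digest.strip().lower()
    return DriverLoad(
        image=fields.get("ImageLoaded", ""),
        sha256=hashes.get("SHA256", ""),
        signed=fields.get("Signed", "").lower() == "true",
        signature_status=fields.get("SignatureStatus", ""),
    )


def assess(load: DriverLoad, denylist=VULNERABLE_DRIVER_SHA256) -> list:
    """Return the reasons a driver load is suspicious (empty list if none).

    The denylist check runs regardless of signature state: BYOVD drivers
    carry valid signatures, so a signature check alone would miss them.
    """
    reasons = []
    if load.sha256 in denylist:
        reasons.append(f"known-vulnerable driver: {denylist[load.sha256]}")
    if not load.signed or load.signature_status.lower() != "valid":
        reasons.append("driver is unsigned or its signature is not valid")
    if not load.image.lower().startswith(TRUSTED_DRIVER_DIRS):
        reasons.append(f"driver loaded from unexpected path: {load.image}")
    return reasons


def triage(records=SAMPLE_EVENTS) -> list:
    """Assess each record; returns (image, reasons) pairs."""
    results = []
    for record in records:
        load = parse_driver_load(record)
        results.append((load.image, assess(load)))
    return results


if __name__ == "__main__":
    for image, reasons in triage():
        verdict = "ALERT" if reasons else "ok"
        print(f"{verdict:5} {image}")
        for reason in reasons:
            print(f"      - {reason}")
```

The second constructed record is the BYOVD case: the driver passes the signature check, so only the hash denylist and the load path give it away. That is why a denylist of known-vulnerable drivers (or enabling the Windows vulnerable driver blocklist) matters more here than signature enforcement.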


Scattered Spider, tracked as UNC3944 by Mandiant (part of Google Cloud), is composed of hackers based in the United States and the UK, some as young as 19 years old.


In a LinkedIn post yesterday, Charles Carmakal, CTO of Mandiant Consulting at Google Cloud, said while memb ..
